Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: ctnetlink: use netlink policy range checks

Replace manual range and mask validations with netlink policy
annotations in ctnetlink code paths, so that the netlink core rejects
invalid values early and can generate extack errors.

- CTA_PROTOINFO_TCP_STATE: reject values > TCP_CONNTRACK_SYN_SENT2 at
policy level, removing the manual >= TCP_CONNTRACK_MAX check.
- CTA_PROTOINFO_TCP_WSCALE_ORIGINAL/REPLY: reject values > TCP_MAX_WSCALE
(14). The normal TCP option parsing path already clamps to this value,
but the ctnetlink path accepted 0-255, causing undefined behavior when
used as a u32 shift count.
- CTA_FILTER_ORIG_FLAGS/REPLY_FLAGS: use NLA_POLICY_MASK with
CTA_FILTER_F_ALL, removing the manual mask checks.
- CTA_EXPECT_FLAGS: use NLA_POLICY_MASK with NF_CT_EXPECT_MASK, adding
a new mask define grouping all valid expect flags.

Extracted from a broader nf-next patch by Florian Westphal, scoped to
ctnetlink for the fixes tree.
Published: 2026-04-22
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

The vulnerability in the Linux kernel's ctnetlink code path arises from manual range checks that let out-of-range attribute values through Netlink validation. In particular, the TCP window scale option previously accepted shift counts of 0-255, far beyond the allowed maximum of 14. Using such a shift count on a 32-bit value is undefined behavior and can crash the kernel. The patch replaces these checks with Netlink policy annotations so that the netlink core rejects such values at policy level, before the affected code runs.
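To make the failure mode concrete, the following is an added user-space model (not the kernel's code, and not part of this advisory) of the policy-table style of validation the fix moves to: a per-attribute table states the inclusive maximum or the allowed bit mask, one validator enforces it, and the shift is only performed on a value that has passed. Only TCP_MAX_WSCALE (14) is taken from the advisory text; the attribute ids, the two flag masks and the sample inputs are constructed placeholders, not kernel values.

```c
/* Added example (not the kernel's code): a user-space model of the
 * netlink-policy-style range and mask checks the fix introduces.
 * Only TCP_MAX_WSCALE (14) comes from the advisory; the attribute ids
 * and the two flag masks are constructed placeholders, not kernel values. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TCP_MAX_WSCALE 14u   /* largest valid TCP window scale shift (from the advisory) */

/* Constructed stand-ins for the ctnetlink attribute ids and flag masks. */
enum attr_id { ATTR_TCP_WSCALE = 1, ATTR_FILTER_FLAGS = 2, ATTR_EXPECT_FLAGS = 3, ATTR_COUNT };
#define FILTER_F_ALL 0x03u   /* placeholder for CTA_FILTER_F_ALL */
#define EXPECT_MASK  0x07u   /* placeholder for NF_CT_EXPECT_MASK */

enum policy_kind { POLICY_MAX, POLICY_MASK };

struct policy {
    enum policy_kind kind;
    uint32_t limit;   /* inclusive maximum for POLICY_MAX, allowed bits for POLICY_MASK */
};

/* Policy table indexed by attribute id, in the spirit of NLA_POLICY_MAX /
 * NLA_POLICY_MASK: the table, not each handler, says what is acceptable. */
static const struct policy policy_table[ATTR_COUNT] = {
    [ATTR_TCP_WSCALE]   = { POLICY_MAX,  TCP_MAX_WSCALE },
    [ATTR_FILTER_FLAGS] = { POLICY_MASK, FILTER_F_ALL },
    [ATTR_EXPECT_FLAGS] = { POLICY_MASK, EXPECT_MASK },
};

/* Returns 0 if value satisfies the attribute's policy, -ERANGE if it exceeds
 * the maximum or sets a bit outside the mask, -EINVAL for an unknown attribute. */
int validate_attr(int id, uint32_t value)
{
    if (id <= 0 || id >= ATTR_COUNT)
        return -EINVAL;
    const struct policy *p = &policy_table[id];
    switch (p->kind) {
    case POLICY_MAX:
        return value > p->limit ? -ERANGE : 0;
    case POLICY_MASK:
        return (value & ~p->limit) ? -ERANGE : 0;
    }
    return -EINVAL;
}

/* Scales a 16-bit TCP window by a validated shift count and returns the
 * result, or a negative errno. Shifting a uint32_t by 32 or more is undefined
 * behaviour in C, which is why an unchecked 0-255 wscale must never get here. */
int64_t scaled_window(uint16_t window, uint8_t wscale)
{
    int err = validate_attr(ATTR_TCP_WSCALE, wscale);
    if (err)
        return err;
    /* wscale <= 14, so the result uses at most 30 bits and cannot overflow. */
    return (int64_t)((uint32_t)window << wscale);
}

int main(void)
{
    /* Constructed inputs: shift counts a ctnetlink message could carry in a u8. */
    uint8_t samples[] = { 7, 14, 15, 40, 255 };
    for (size_t i = 0; i < sizeof samples; i++) {
        int64_t w = scaled_window(0xFFFF, samples[i]);
        if (w < 0)
            printf("wscale %3u: rejected (%lld)\n", samples[i], (long long)w);
        else
            printf("wscale %3u: window 0xFFFF -> %llu\n", samples[i], (unsigned long long)w);
    }
    printf("filter flags 0x4: %d\n", validate_attr(ATTR_FILTER_FLAGS, 0x4u));
    return 0;
}
```

The point of the table is the one the commit message makes: a value is rejected once, at the policy level, with a single error path, instead of each handler remembering to compare against its own limit. In the kernel the same structure also lets the netlink core attach an extack message naming the offending attribute.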

Affected Systems

All Linux kernel releases that contain the unpatched ctnetlink implementation. The fix was merged in commit 2ef71307c86a9f866d6e28f1a0c06e2e9d794474; any downstream distribution shipping a kernel prior to that commit is susceptible. The affected system type is the kernel itself, with no vendor‑specific product constraint beyond the Linux kernel.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity. The EPSS score is reported as less than 1%, indicating a very low probability of exploitation in current deployments. The CVE is not listed in the CISA KEV catalog. The description does not explicitly state the required privilege level or whether the attack is local; based on the nature of the Netlink interface, the attack vector is inferred to be local or to require elevated privileges. If an attacker can send malformed Netlink messages to ctnetlink, the kernel may crash, leading to a denial of service for the affected host.

Generated by OpenCVE AI on April 28, 2026 at 20:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the ctnetlink netlink policy range check patch (commit 2ef71307c86a9f866d6e28f1a0c06e2e9d794474 or later).
  • If an immediate kernel upgrade is impractical, restrict access to the ctnetlink Netlink interface so that only privileged users may send messages, or disable the interface altogether if it is not required.
  • Continuously monitor kernel logs (e.g., dmesg, /var/log/kern.log) for indications of Netlink‑related crashes or abnormal activity, and investigate any suspicious entries promptly.



Advisories
Source      ID          Title
Debian DLA  DLA-4561-1  linux-6.1 security update
Debian DSA  DSA-6238-1  linux security update
Debian DSA  DSA-6243-1  linux security update
History

Tue, 28 Apr 2026 14:45:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:2.6.22:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*

Thu, 23 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1287
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Wed, 22 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Description (text as in the Description section above)
Title netfilter: ctnetlink: use netlink policy range checks
First Time appeared: Linux, Linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products: Linux, Linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:09:50.284Z

Reserved: 2026-03-09T15:48:24.102Z

Link: CVE-2026-31495

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-04-22T14:16:47.500

Modified: 2026-04-28T14:44:15.573

Link: CVE-2026-31495

Redhat

Severity : Moderate

Public Date: 2026-04-22T00:00:00Z

Links: CVE-2026-31495 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T21:00:14Z